Hi, this fixes initial findings of trust-after-aci-refactoring investigation. Consider this effort still WIP (not this patch though).
https://fedorahosted.org/freeipa/ticket/4385 -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org
>From eb2c9460b0919ff3dbf3c3d45f19f3fc0fc5c092 Mon Sep 17 00:00:00 2001 From: Tomas Babej <[email protected]> Date: Thu, 19 Jun 2014 12:25:56 +0200 Subject: [PATCH] trusts: Allow reading ipaNTSecurityIdentifier in user and group objects https://fedorahosted.org/freeipa/ticket/4385 --- ACI.txt | 4 ++-- ipalib/plugins/group.py | 1 + ipalib/plugins/user.py | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ACI.txt b/ACI.txt index cd19fb90fdd0ac1947393aabfd667e46a6f015fc..b320f5656f734ded939fd3e4a9679870f26a2105 100644 --- a/ACI.txt +++ b/ACI.txt @@ -31,7 +31,7 @@ aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certreco dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";;) dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";;) +aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";;) dn: cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";;) dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example @@ -117,7 +117,7 @@ aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange dn: cn=System: Read User Membership,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";;) dn: cn=System: Read User Standard Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example -aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";;) +aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";;) dn: cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 581ee70b635da0f4d85633b7db367229113f9f73..58934ad07c1d20ffcab1427029e60ba896f79ed0 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -150,6 +150,7 @@ class group(LDAPObject): 'businesscategory', 'cn', 'description', 'gidnumber', 'ipaexternalmember', 'ipauniqueid', 'mepmanagedby', 'o', 'objectclass', 'ou', 'owner', 'seealso', + 'ipaNTSecurityIdentifier' }, }, 'System: Read Group Membership': { diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 2ffc1ef4bd873db4a3d5d3156d9a839b0b8f2881..a752d7883cfaead45030d1dc928eda9cf331b3e3 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -266,7 +266,8 @@ class user(LDAPObject): 'ipapermdefaultattr': { 'objectclass', 'cn', 'sn', 'description', 'title', 'uid', 'displayname', 'givenname', 'initials', 'manager', 'gecos', - 'gidnumber', 'homedirectory', 'loginshell', 'uidnumber' + 'gidnumber', 'homedirectory', 'loginshell', 'uidnumber', + 'ipaNTSecurityIdentifier' }, }, 'System: Read User Addressbook Attributes': { -- 1.9.3
_______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
